During the February plenary meeting, the Article 29 Working Party (WP29) discussed certain critical matters with regard to the implementation of the General Data Protection Regulation (GDPR) and of the Privacy Shield, as well as the handling of enforcement measures on cases having a cross-border effect (press release, pdf).

1. IMPLEMENTATION OF THE GDPR

The deadline for the submission of comments on the pre-adopted DPO, lead authority and data portability guidelines has been extended until February 15, 2017. Accordingly, it has been agreed that the rapporteurs will review such comments and submit the amended guidelines for adoption at the next plenary session in April at the latest.

The WP29 has also continued its work on the 2016 ongoing topics of Data Protection Impact Assessments (DPIAs), certification and other internal topics (e.g. administrative fines, EDPB internal rules).

On DPIAs, the work is almost finalized and the final version of the guidelines should be proposed for pre-adoption in April. Regarding certification, the European Commission announced that it will launch a study that could provide added value to the work done by the WP29 until now. In addition, a one-day workshop shall be organized between DPAs in April to finalize the drafting of the guidelines. Their pre-adoption is expected for June. [emphasis added]

Following the publication of the 2017 GDPR Action Plan, the WP29 has established the delegation of tasks within its working groups and the working calendar for the adoption of all relevant guidelines and other documents.

The WP29 has also confirmed the dates for its second Fablab on April 5 and 6, 2017 in Brussels. This interactive workshop will concentrate on the topics of consent, profiling and notification of data breaches. [...]

2. PRIVACY SHIELD

[...] Finally, the WP29 shall send a letter to the US authorities (i) pointing out concerns and asking for clarifications on the possible impact of the Executive Order 'Enhancing Public Safety in the Interior of the United States' on the Privacy Shield and the Umbrella agreement, (ii) requesting assurances on the way personal data will be dealt with by US authorities regarding complaints under the Privacy Shield and (iii) providing answers to questions from the US authorities on the functioning of the centralized body. [...]

3. ENFORCEMENT SUBGROUP

The WP29 has initiated detailed inquiries into the processing of personal data processed via Windows 10 by Microsoft. [...]

Also, the topics of WhatsApp and Yahoo were briefly discussed at the meeting and a contact group has been created for the follow-up of privacy-related issues with regard to connected toys.

4. OTHER

Two opinions will be prepared by the WP29 on (i) the e-privacy regulation proposed by the European Commission on January 10, 2017 and (ii) the revised EU regulation 45/2001 on the processing of personal data by European institutions and bodies. Both opinions should likely be submitted for adoption in April 2017. [emphasis added]

Finally, the WP29 shall very shortly send a formal letter to the European Council on the necessity for national governments to provide increased resources to Data Protection Authorities in view of the application of the GDPR. The letter will then be circulated to Member State governments. [emphasis added]
Source: Article 29 Working Party

10.02.2017

Smartphone Secure Development Guidelines (pdf)

This document is an updated version of the Smartphone Development Guidelines published by ENISA in 2011. New developments in both software and hardware have translated into significant new threats for the mobile computing environment, highlighting the need for an update of the document (published February 10, 2017).
Source: ENISA

According to ENISA, the guidelines aim to cover the entire spectrum of attacks which developers of smartphone applications should consider when building mobile apps. These include:

Identify and protect sensitive data

User authentication, authorization and session management

Handle authentication and authorization factors securely on the device

Ensure sensitive data protection in transit

Secure the backend services and the platform server and APIs

Secure data integration with third party code

Consent and privacy protection

Protect paid resources

Secure software distribution

Handle runtime code interpretation

In addition, new sections have been added to cover new attacks, abusing biometrics and clients:

About me

Working at Research Institute https://www.researchinstitute.at. Co-founder and board member of Privacyofficers.at (Association of Austrian DPOs). Former Legal Counsel and Data Protection Officer at Medical University of Vienna. Prior to that, I worked at the Austrian Parliament and as a legal research associate at the University of Hanover (Germany), IRI - Institute for Legal Informatics (Prof. Forgó). Earlier, I was an in-house lawyer at the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR-GmbH).
I received my legal education at the University of Vienna (Austria) and the University of Oslo (Norway), before attending a postgraduate course in IT Law at the University of Vienna. I am an alumnus of the IVLP ("Data Privacy and Principles", organized by the DoS). My publications deal mainly with Austrian and European Union data privacy law. Certified Information Privacy Professional (CIPP/E).